suricata
app-layer-frames.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2024 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Victor Julien <victor@inliniac.net>
22  *
23  */
24 
25 #include "suricata-common.h"
26 #include "util-print.h"
27 
28 #include "flow.h"
29 #include "stream-tcp.h"
30 #include "app-layer-frames.h"
31 #include "app-layer-parser.h"
32 
33 struct FrameConfig {
34  SC_ATOMIC_DECLARE(uint64_t, types);
35 };
36 /* This array should be allocated to contain g_alproto_max protocols. */
37 static struct FrameConfig *frame_config;
38 
39 void FrameConfigInit(void)
40 {
41  frame_config = SCCalloc(g_alproto_max, sizeof(struct FrameConfig));
42  if (unlikely(frame_config == NULL)) {
43  FatalError("Unable to alloc frame_config.");
44  }
45  for (AppProto p = 0; p < g_alproto_max; p++) {
46  SC_ATOMIC_INIT(frame_config[p].types);
47  }
48 }
49 
50 void FrameConfigDeInit(void)
51 {
52  SCFree(frame_config);
53 }
54 
55 void FrameConfigEnableAll(void)
56 {
57  const uint64_t bits = UINT64_MAX;
58  for (AppProto p = 0; p < g_alproto_max; p++) {
59  struct FrameConfig *fc = &frame_config[p];
60  SC_ATOMIC_OR(fc->types, bits);
61  }
62 }
63 
64 void FrameConfigEnable(const AppProto p, const uint8_t type)
65 {
66  const uint64_t bits = BIT_U64(type);
67  struct FrameConfig *fc = &frame_config[p];
68  SC_ATOMIC_OR(fc->types, bits);
69 }
70 
71 static inline bool FrameConfigTypeIsEnabled(const AppProto p, const uint8_t type)
72 {
73  struct FrameConfig *fc = &frame_config[p];
74  const uint64_t bits = BIT_U64(type);
75  const bool enabled = (SC_ATOMIC_GET(fc->types) & bits) != 0;
76  return enabled;
77 }
78 
79 #ifdef DEBUG
80 static void FrameDebug(const char *prefix, const Frames *frames, const Frame *frame)
81 {
82  const char *type_name = "unknown";
83  if (frame->type == FRAME_STREAM_TYPE) {
84  type_name = "stream";
85  } else if (frames != NULL) {
86  type_name = AppLayerParserGetFrameNameById(frames->ipproto, frames->alproto, frame->type);
87  }
88  SCLogDebug("[%s] %p: frame:%p type:%u/%s id:%" PRIi64 " flags:%02x offset:%" PRIu64
89  ", len:%" PRIi64 ", inspect_progress:%" PRIu64 ", events:%u %u/%u/%u/%u",
90  prefix, frames, frame, frame->type, type_name, frame->id, frame->flags, frame->offset,
91  frame->len, frame->inspect_progress, frame->event_cnt, frame->events[0],
92  frame->events[1], frame->events[2], frame->events[3]);
93 }
94 #else
95 #define FrameDebug(prefix, frames, frame)
96 #endif
97 
98 /**
99  * \note "open" means a frame that has no length set (len == -1)
100  * \todo perhaps we can search backwards */
101 Frame *FrameGetLastOpenByType(Frames *frames, const uint8_t frame_type)
102 {
103  Frame *candidate = NULL;
104 
105  SCLogDebug(
106  "frames %p cnt %u, looking for last of type %" PRIu8, frames, frames->cnt, frame_type);
107  for (uint16_t i = 0; i < frames->cnt; i++) {
108  if (i < FRAMES_STATIC_CNT) {
109  Frame *frame = &frames->sframes[i];
110  FrameDebug("get_by_id(static)", frames, frame);
111  if (frame->type == frame_type && frame->len == -1)
112  candidate = frame;
113  } else {
114  const uint16_t o = i - FRAMES_STATIC_CNT;
115  Frame *frame = &frames->dframes[o];
116  FrameDebug("get_by_id(dynamic)", frames, frame);
117  if (frame->type == frame_type && frame->len == -1)
118  candidate = frame;
119  }
120  }
121  return candidate;
122 }
123 
124 Frame *FrameGetById(Frames *frames, const int64_t id)
125 {
126  SCLogDebug("frames %p cnt %u, looking for %" PRIi64, frames, frames->cnt, id);
127  for (uint16_t i = 0; i < frames->cnt; i++) {
128  if (i < FRAMES_STATIC_CNT) {
129  Frame *frame = &frames->sframes[i];
130  FrameDebug("get_by_id(static)", frames, frame);
131  if (frame->id == id)
132  return frame;
133  } else {
134  const uint16_t o = i - FRAMES_STATIC_CNT;
135  Frame *frame = &frames->dframes[o];
136  FrameDebug("get_by_id(dynamic)", frames, frame);
137  if (frame->id == id)
138  return frame;
139  }
140  }
141  return NULL;
142 }
143 
144 Frame *FrameGetByIndex(Frames *frames, const uint32_t idx)
145 {
146  if (idx >= frames->cnt)
147  return NULL;
148 
149  if (idx < FRAMES_STATIC_CNT) {
150  Frame *frame = &frames->sframes[idx];
151  FrameDebug("get_by_idx(s)", frames, frame);
152  return frame;
153  } else {
154  const uint32_t o = idx - FRAMES_STATIC_CNT;
155  Frame *frame = &frames->dframes[o];
156  FrameDebug("get_by_idx(d)", frames, frame);
157  return frame;
158  }
159 }
160 
161 static Frame *FrameNew(Frames *frames, uint64_t offset, int64_t len)
162 {
163  BUG_ON(frames == NULL);
164 
165  if (frames->cnt < FRAMES_STATIC_CNT) {
166  Frame *frame = &frames->sframes[frames->cnt];
167  frames->sframes[frames->cnt].offset = offset;
168  frames->sframes[frames->cnt].len = len;
169  frames->sframes[frames->cnt].id = ++frames->base_id;
170  frames->cnt++;
171  return frame;
172  } else if (frames->dframes == NULL) {
173  BUG_ON(frames->dyn_size != 0);
174  BUG_ON(frames->cnt != FRAMES_STATIC_CNT);
175 
176  frames->dframes = SCCalloc(8, sizeof(Frame));
177  if (frames->dframes == NULL) {
178  return NULL;
179  }
180  frames->cnt++;
181  BUG_ON(frames->cnt != FRAMES_STATIC_CNT + 1);
182 
183  frames->dyn_size = 8;
184  frames->dframes[0].offset = offset;
185  frames->dframes[0].len = len;
186  frames->dframes[0].id = ++frames->base_id;
187  return &frames->dframes[0];
188  } else {
189  BUG_ON(frames->cnt < FRAMES_STATIC_CNT);
190 
191  /* need to handle dynamic storage of frames now */
192  const uint16_t dyn_cnt = frames->cnt - FRAMES_STATIC_CNT;
193  if (dyn_cnt < frames->dyn_size) {
194  BUG_ON(frames->dframes == NULL);
195 
196  // fall through
197  } else {
198  if (frames->dyn_size == 256) {
199  SCLogDebug("limit reached! 256 dynamic frames already");
200  // limit reached
201  // TODO figure out if this should lead to an event of sorts
202  return NULL;
203  }
204 
205  /* realloc time */
206  uint16_t new_dyn_size = frames->dyn_size * 2;
207  uint32_t new_alloc_size = new_dyn_size * sizeof(Frame);
208 
209  void *ptr = SCRealloc(frames->dframes, new_alloc_size);
210  if (ptr == NULL) {
211  return NULL;
212  }
213 
214  memset((uint8_t *)ptr + (frames->dyn_size * sizeof(Frame)), 0x00,
215  (frames->dyn_size * sizeof(Frame)));
216  frames->dframes = ptr;
217  frames->dyn_size = new_dyn_size;
218  }
219 
220  frames->cnt++;
221  frames->dframes[dyn_cnt].offset = offset;
222  frames->dframes[dyn_cnt].len = len;
223  frames->dframes[dyn_cnt].id = ++frames->base_id;
224  return &frames->dframes[dyn_cnt];
225  }
226 }
227 
228 static void FrameClean(Frame *frame)
229 {
230  memset(frame, 0, sizeof(*frame));
231 }
232 
233 static void FrameCopy(Frame *dst, Frame *src)
234 {
235  memcpy(dst, src, sizeof(*dst));
236 }
237 
238 #ifdef DEBUG
239 static void AppLayerFrameDumpForFrames(const char *prefix, const Frames *frames)
240 {
241  SCLogDebug("prefix: %s", prefix);
242  for (uint16_t i = 0; i < frames->cnt; i++) {
243  if (i < FRAMES_STATIC_CNT) {
244  const Frame *frame = &frames->sframes[i];
245  FrameDebug(prefix, frames, frame);
246  } else {
247  const uint16_t o = i - FRAMES_STATIC_CNT;
248  const Frame *frame = &frames->dframes[o];
249  FrameDebug(prefix, frames, frame);
250  }
251  }
252  SCLogDebug("prefix: %s", prefix);
253 }
254 #endif
255 
256 static inline uint64_t FrameLeftEdge(const TcpStream *stream, const Frame *frame)
257 {
258  const int64_t app_progress = STREAM_APP_PROGRESS(stream);
259 
260  const int64_t frame_offset = frame->offset;
261  const int64_t frame_data = app_progress - frame_offset;
262 
263  SCLogDebug("frame_offset %" PRIi64 ", frame_data %" PRIi64 ", frame->len %" PRIi64,
264  frame_offset, frame_data, frame->len);
265  BUG_ON(frame_offset > app_progress);
266 
267  /* length unknown, make sure to have at least 2500 */
268  if (frame->len < 0) {
269  if (frame_data <= 2500) {
270  SCLogDebug("got <= 2500 bytes (%" PRIu64 "), returning offset %" PRIu64, frame_data,
271  frame_offset);
272  return frame_offset;
273  } else {
274  SCLogDebug("got > 2500 bytes (%" PRIu64 "), returning offset %" PRIu64, frame_data,
275  (frame_offset + (frame_data - 2500)));
276  return frame_offset + (frame_data - 2500);
277  }
278 
279  /* length specified */
280  } else {
281  /* have all data for the frame, we can skip it */
282  if (frame->len <= frame_data) {
283  uint64_t x = frame_offset + frame_data;
284  SCLogDebug("x %" PRIu64, x);
285  return x;
286  /*
287 
288  [ stream <frame_data> ]
289  [ frame .......]
290 
291  */
292  } else if (frame_data < 2500) {
293  uint64_t x = frame_offset;
294  SCLogDebug("x %" PRIu64, x);
295  return x;
296  } else {
297  uint64_t x = frame_offset + (frame_data - 2500);
298  SCLogDebug("x %" PRIu64, x);
299  return x;
300  }
301  }
302 }
303 
304 /** Stream buffer slides forward, we need to update and age out
305  * frame offsets/frames. Aging out means we move existing frames
306  * into the slots we'd free up.
307  *
308  * Start:
309  *
310  * [ stream ]
311  * [ frame ...........]
312  * offset: 2
313  * len: 19
314  *
315  * Slide:
316  * [ stream ]
317  * [ frame .... .]
318  * offset: 2
319  * len: 19
320  *
321  * Slide:
322  * [ stream ]
323  * [ frame ........... ]
324  * offset: 2
325  * len: 19
326  */
327 static int FrameSlide(const char *ds, Frames *frames, const TcpStream *stream, const uint32_t slide)
328 {
329  SCLogDebug("start: left edge %" PRIu64 ", left_edge_rel %u, stream base %" PRIu64
330  ", next %" PRIu64,
331  (uint64_t)frames->left_edge_rel + STREAM_BASE_OFFSET(stream), frames->left_edge_rel,
332  STREAM_BASE_OFFSET(stream), STREAM_BASE_OFFSET(stream) + slide);
333  BUG_ON(frames == NULL);
334  SCLogDebug("%s frames %p: sliding %u bytes", ds, frames, slide);
335  uint64_t le = STREAM_APP_PROGRESS(stream);
336  const uint64_t next_base = STREAM_BASE_OFFSET(stream) + slide;
337  const uint16_t start = frames->cnt;
338  uint16_t removed = 0;
339  uint16_t x = 0;
340  for (uint16_t i = 0; i < frames->cnt; i++) {
341  if (i < FRAMES_STATIC_CNT) {
342  Frame *frame = &frames->sframes[i];
343  FrameDebug("slide(s)", frames, frame);
344  if (frame->len >= 0 && frame->offset + frame->len <= next_base) {
345  // remove by not incrementing 'x'
346  SCLogDebug("removing %p id %" PRIi64, frame, frame->id);
347  FrameClean(frame);
348  removed++;
349  } else {
350  Frame *nframe = &frames->sframes[x];
351  FrameCopy(nframe, frame);
352  if (frame != nframe) {
353  FrameClean(frame);
354  }
355  le = MIN(le, FrameLeftEdge(stream, nframe));
356  x++;
357  }
358  } else {
359  const uint16_t o = i - FRAMES_STATIC_CNT;
360  Frame *frame = &frames->dframes[o];
361  FrameDebug("slide(d)", frames, frame);
362  if (frame->len >= 0 && frame->offset + frame->len <= next_base) {
363  // remove by not incrementing 'x'
364  SCLogDebug("removing %p id %" PRIi64, frame, frame->id);
365  FrameClean(frame);
366  removed++;
367  } else {
368  Frame *nframe;
369  if (x >= FRAMES_STATIC_CNT) {
370  nframe = &frames->dframes[x - FRAMES_STATIC_CNT];
371  } else {
372  nframe = &frames->sframes[x];
373  }
374  FrameCopy(nframe, frame);
375  if (frame != nframe) {
376  FrameClean(frame);
377  }
378  le = MIN(le, FrameLeftEdge(stream, nframe));
379  x++;
380  }
381  }
382  }
383  frames->cnt = x;
384  uint64_t o = STREAM_BASE_OFFSET(stream) + slide;
385  DEBUG_VALIDATE_BUG_ON(o > le);
386  DEBUG_VALIDATE_BUG_ON(le - o > UINT32_MAX);
387  frames->left_edge_rel = (uint32_t)(le - o);
388 
389 #ifdef DEBUG
390  SCLogDebug("end: left edge %" PRIu64 ", left_edge_rel %u, stream base %" PRIu64
391  " (+slide), cnt %u, removed %u, start %u",
392  (uint64_t)frames->left_edge_rel + STREAM_BASE_OFFSET(stream) + slide,
393  frames->left_edge_rel, STREAM_BASE_OFFSET(stream) + slide, frames->cnt, removed, start);
394  char pf[32] = "";
395  snprintf(pf, sizeof(pf), "%s:post_slide", ds);
396  AppLayerFrameDumpForFrames(pf, frames);
397 #endif
398  BUG_ON(x != start - removed);
399  return 0;
400 }
401 
402 void AppLayerFramesSlide(Flow *f, const uint32_t slide, const uint8_t direction)
403 {
404  FramesContainer *frames_container = AppLayerFramesGetContainer(f);
405  if (frames_container == NULL)
406  return;
407  Frames *frames;
408  TcpSession *ssn = f->protoctx;
409  TcpStream *stream;
410  if (direction == STREAM_TOSERVER) {
411  stream = &ssn->client;
412  frames = &frames_container->toserver;
413  FrameSlide("toserver", frames, stream, slide);
414  } else {
415  stream = &ssn->server;
416  frames = &frames_container->toclient;
417  FrameSlide("toclient", frames, stream, slide);
418  }
419 }
420 
421 static void FrameFreeSingleFrame(Frames *frames, Frame *r)
422 {
423  FrameDebug("free", frames, r);
424  FrameClean(r);
425 }
426 
427 static void FramesClear(Frames *frames)
428 {
429  BUG_ON(frames == NULL);
430 
431  SCLogDebug("frames %u", frames->cnt);
432  for (uint16_t i = 0; i < frames->cnt; i++) {
433  if (i < FRAMES_STATIC_CNT) {
434  Frame *r = &frames->sframes[i];
435  SCLogDebug("removing frame %p", r);
436  FrameFreeSingleFrame(frames, r);
437  } else {
438  const uint16_t o = i - FRAMES_STATIC_CNT;
439  Frame *r = &frames->dframes[o];
440  SCLogDebug("removing frame %p", r);
441  FrameFreeSingleFrame(frames, r);
442  }
443  }
444  frames->cnt = 0;
445 }
446 
447 void FramesFree(Frames *frames)
448 {
449  BUG_ON(frames == NULL);
450  FramesClear(frames);
451  SCFree(frames->dframes);
452  frames->dframes = NULL;
453 }
454 
455 /** \brief create new frame using a pointer to start of the frame
456  */
457 Frame *AppLayerFrameNewByPointer(Flow *f, const StreamSlice *stream_slice,
458  const uint8_t *frame_start, const int64_t len, int dir, uint8_t frame_type)
459 {
460  SCLogDebug("frame_start:%p stream_slice->input:%p stream_slice->offset:%" PRIu64, frame_start,
461  stream_slice->input, stream_slice->offset);
462 
463  if (!(FrameConfigTypeIsEnabled(f->alproto, frame_type)))
464  return NULL;
465 
466  /* workarounds for many (unit|fuzz)tests not handling TCP data properly */
467 #if defined(UNITTESTS) || defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
468  if (f->proto == IPPROTO_TCP && f->protoctx == NULL)
469  return NULL;
470  if (frame_start < stream_slice->input ||
471  frame_start > stream_slice->input + stream_slice->input_len)
472  return NULL;
473 #endif
474  BUG_ON(frame_start < stream_slice->input);
475  BUG_ON(stream_slice->input == NULL);
476  BUG_ON(f->proto == IPPROTO_TCP && f->protoctx == NULL);
477 
478  ptrdiff_t ptr_offset = frame_start - stream_slice->input;
479 #ifdef DEBUG
480  uint64_t offset = ptr_offset + stream_slice->offset;
481  SCLogDebug("flow %p direction %s frame %p starting at %" PRIu64 " len %" PRIi64
482  " (offset %" PRIu64 ")",
483  f, dir == 0 ? "toserver" : "toclient", frame_start, offset, len, stream_slice->offset);
484 #endif
485  BUG_ON(f->alparser == NULL);
486 
487  FramesContainer *frames_container = AppLayerFramesSetupContainer(f);
488  if (frames_container == NULL)
489  return NULL;
490 
491  Frames *frames;
492  if (dir == 0) {
493  frames = &frames_container->toserver;
494  } else {
495  frames = &frames_container->toclient;
496  }
497 
498  uint64_t abs_frame_offset = stream_slice->offset + ptr_offset;
499 
500  Frame *r = FrameNew(frames, abs_frame_offset, len);
501  if (r != NULL) {
502  r->type = frame_type;
503  FrameDebug("new_by_ptr", frames, r);
504  }
505  return r;
506 }
507 
508 static Frame *AppLayerFrameUdp(
509  Flow *f, const uint32_t frame_start_rel, const int64_t len, int dir, uint8_t frame_type)
510 {
511  BUG_ON(f->proto != IPPROTO_UDP);
512 
513  if (!(FrameConfigTypeIsEnabled(f->alproto, frame_type)))
514  return NULL;
515 
516  FramesContainer *frames_container = AppLayerFramesSetupContainer(f);
517  if (frames_container == NULL)
518  return NULL;
519 
520  Frames *frames;
521  if (dir == 0) {
522  frames = &frames_container->toserver;
523  } else {
524  frames = &frames_container->toclient;
525  }
526 
527  Frame *r = FrameNew(frames, frame_start_rel, len);
528  if (r != NULL) {
529  r->type = frame_type;
530  }
531  return r;
532 }
533 
534 /** \brief create new frame using a relative offset from the start of the stream slice
535  */
536 Frame *AppLayerFrameNewByRelativeOffset(Flow *f, const StreamSlice *stream_slice,
537  const uint32_t frame_start_rel, const int64_t len, int dir, uint8_t frame_type)
538 {
539  if (!(FrameConfigTypeIsEnabled(f->alproto, frame_type)))
540  return NULL;
541 
542  /* workarounds for many (unit|fuzz)tests not handling TCP data properly */
543 #if defined(UNITTESTS) || defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
544  if (f->proto == IPPROTO_TCP && f->protoctx == NULL)
545  return NULL;
546  if (stream_slice->input == NULL)
547  return NULL;
548 #else
549  BUG_ON(stream_slice->input == NULL);
550 #endif
551  BUG_ON(f->proto == IPPROTO_TCP && f->protoctx == NULL);
552  BUG_ON(f->alparser == NULL);
553 
554  if (f->proto == IPPROTO_UDP) {
555  return AppLayerFrameUdp(f, frame_start_rel, len, dir, frame_type);
556  }
557 
558  FramesContainer *frames_container = AppLayerFramesSetupContainer(f);
559  if (frames_container == NULL)
560  return NULL;
561 
562  Frames *frames;
563  if (dir == 0) {
564  frames = &frames_container->toserver;
565  } else {
566  frames = &frames_container->toclient;
567  }
568 
569  const uint64_t frame_abs_offset = (uint64_t)frame_start_rel + stream_slice->offset;
570 #ifdef DEBUG_VALIDATION
571  const TcpSession *ssn = f->protoctx;
572  const TcpStream *stream = dir == 0 ? &ssn->client : &ssn->server;
573  BUG_ON(stream_slice->offset != STREAM_APP_PROGRESS(stream));
574  BUG_ON(frame_abs_offset > STREAM_APP_PROGRESS(stream) + stream_slice->input_len);
575 #endif
576  Frame *r = FrameNew(frames, frame_abs_offset, len);
577  if (r != NULL) {
578  r->type = frame_type;
579  }
580  return r;
581 }
582 
583 void AppLayerFrameDump(Flow *f)
584 {
585 #ifdef DEBUG
586  if (f->proto == IPPROTO_TCP && f->protoctx && f->alparser) {
587  FramesContainer *frames_container = AppLayerFramesGetContainer(f);
588  if (frames_container != NULL) {
589  AppLayerFrameDumpForFrames("toserver::dump", &frames_container->toserver);
590  AppLayerFrameDumpForFrames("toclient::dump", &frames_container->toclient);
591  }
592  }
593 #endif
594 }
595 
596 /** \brief create new frame using the absolute offset from the start of the stream
597  */
598 Frame *AppLayerFrameNewByAbsoluteOffset(Flow *f, const StreamSlice *stream_slice,
599  const uint64_t frame_start, const int64_t len, int dir, uint8_t frame_type)
600 {
601  if (!(FrameConfigTypeIsEnabled(f->alproto, frame_type)))
602  return NULL;
603 
604  /* workarounds for many (unit|fuzz)tests not handling TCP data properly */
605 #if defined(UNITTESTS) || defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
606  if (f->proto == IPPROTO_TCP && f->protoctx == NULL)
607  return NULL;
608  if (stream_slice->input == NULL)
609  return NULL;
610 #else
611  BUG_ON(stream_slice->input == NULL);
612 #endif
613  BUG_ON(f->proto == IPPROTO_TCP && f->protoctx == NULL);
614  BUG_ON(f->alparser == NULL);
615  BUG_ON(frame_start < stream_slice->offset);
616  BUG_ON(frame_start - stream_slice->offset >= (uint64_t)INT_MAX);
617 
618  FramesContainer *frames_container = AppLayerFramesSetupContainer(f);
619  if (frames_container == NULL)
620  return NULL;
621 
622  Frames *frames;
623  if (dir == 0) {
624  frames = &frames_container->toserver;
625  } else {
626  frames = &frames_container->toclient;
627  }
628 
629  SCLogDebug("flow %p direction %s frame type %u offset %" PRIu64 " len %" PRIi64
630  " (slice offset %" PRIu64 ")",
631  f, dir == 0 ? "toserver" : "toclient", frame_type, frame_start, len,
632  stream_slice->offset);
633  Frame *r = FrameNew(frames, frame_start, len);
634  if (r != NULL) {
635  r->type = frame_type;
636  }
637  return r;
638 }
639 
640 void AppLayerFrameAddEvent(Frame *r, uint8_t e)
641 {
642  if (r != NULL) {
643  if (r->event_cnt < 4) { // TODO
644  r->events[r->event_cnt++] = e;
645  }
646  FrameDebug("add_event", NULL, r);
647  }
648 }
649 
650 void AppLayerFrameAddEventById(Flow *f, const int dir, const FrameId id, uint8_t e)
651 {
652  Frame *frame = AppLayerFrameGetById(f, dir, id);
653  AppLayerFrameAddEvent(frame, e);
654 }
655 
656 FrameId AppLayerFrameGetId(Frame *r)
657 {
658  if (r != NULL) {
659  return r->id;
660  } else {
661  return -1;
662  }
663 }
664 
665 void AppLayerFrameSetLength(Frame *frame, int64_t len)
666 {
667  if (frame != NULL) {
668  frame->len = len;
669  FrameDebug("set_length", NULL, frame);
670  }
671 }
672 
673 void AppLayerFrameSetLengthById(Flow *f, const int dir, const FrameId id, int64_t len)
674 {
675  Frame *frame = AppLayerFrameGetById(f, dir, id);
676  AppLayerFrameSetLength(frame, len);
677 }
678 
679 void AppLayerFrameSetTxId(Frame *r, uint64_t tx_id)
680 {
681  if (r != NULL) {
682  r->flags |= FRAME_FLAG_TX_ID_SET;
683  r->tx_id = tx_id;
684  FrameDebug("set_txid", NULL, r);
685  }
686 }
687 
688 void AppLayerFrameSetTxIdById(Flow *f, const int dir, const FrameId id, uint64_t tx_id)
689 {
690  Frame *frame = AppLayerFrameGetById(f, dir, id);
691  AppLayerFrameSetTxId(frame, tx_id);
692 }
693 
694 Frame *AppLayerFrameGetById(Flow *f, const int dir, const FrameId frame_id)
695 {
696  FramesContainer *frames_container = AppLayerFramesGetContainer(f);
697  SCLogDebug("get frame_id %" PRIi64 " direction %u/%s frames_container %p", frame_id, dir,
698  dir == 0 ? "toserver" : "toclient", frames_container);
699  if (frames_container == NULL)
700  return NULL;
701 
702  Frames *frames;
703  if (dir == 0) {
704  frames = &frames_container->toserver;
705  } else {
706  frames = &frames_container->toclient;
707  }
708  SCLogDebug("frames %p", frames);
709  return FrameGetById(frames, frame_id);
710 }
711 
712 Frame *AppLayerFrameGetLastOpenByType(Flow *f, const int dir, const uint8_t frame_type)
713 {
714  if (!(FrameConfigTypeIsEnabled(f->alproto, frame_type)))
715  return NULL;
716 
717  FramesContainer *frames_container = AppLayerFramesGetContainer(f);
718  SCLogDebug("get frame_type %" PRIu8 " direction %u/%s frames_container %p", frame_type, dir,
719  dir == 0 ? "toserver" : "toclient", frames_container);
720  if (frames_container == NULL)
721  return NULL;
722 
723  Frames *frames;
724  if (dir == 0) {
725  frames = &frames_container->toserver;
726  } else {
727  frames = &frames_container->toclient;
728  }
729  SCLogDebug("frames %p", frames);
730  return FrameGetLastOpenByType(frames, frame_type);
731 }
732 
733 static inline bool FrameIsDone(const Frame *frame, const uint64_t abs_right_edge)
734 {
735  /* frame with negative length means we don't know the size yet. */
736  if (frame->len < 0)
737  return false;
738 
739  const int64_t frame_abs_offset = frame->offset;
740  const int64_t frame_right_edge = frame_abs_offset + frame->len;
741  if ((uint64_t)frame_right_edge <= abs_right_edge) {
742  SCLogDebug("frame %p id %" PRIi64 " is done", frame, frame->id);
743  return true;
744  }
745  return false;
746 }
747 
748 static void FramePrune(Frames *frames, const TcpStream *stream, const bool eof)
749 {
750  const uint64_t frames_le_start = (uint64_t)frames->left_edge_rel + STREAM_BASE_OFFSET(stream);
751  SCLogDebug("start: left edge %" PRIu64 ", left_edge_rel %u, stream base %" PRIu64,
752  (uint64_t)frames->left_edge_rel + STREAM_BASE_OFFSET(stream), frames->left_edge_rel,
753  STREAM_BASE_OFFSET(stream));
754  const uint64_t acked = StreamTcpGetUsable(stream, eof);
755  uint64_t le = STREAM_APP_PROGRESS(stream);
756 
757  const uint16_t start = frames->cnt;
758  uint16_t removed = 0;
759  uint16_t x = 0;
760  for (uint16_t i = 0; i < frames->cnt; i++) {
761  if (i < FRAMES_STATIC_CNT) {
762  Frame *frame = &frames->sframes[i];
763  FrameDebug("prune(s)", frames, frame);
764  if (eof || FrameIsDone(frame, acked)) {
765  // remove by not incrementing 'x'
766  SCLogDebug("removing %p id %" PRIi64, frame, frame->id);
767  FrameDebug("remove(s)", frames, frame);
768  FrameClean(frame);
769  removed++;
770  } else {
771  const uint64_t fle = FrameLeftEdge(stream, frame);
772  le = MIN(le, fle);
773  SCLogDebug("le %" PRIu64 ", frame fle %" PRIu64, le, fle);
774  Frame *nframe = &frames->sframes[x];
775  FrameCopy(nframe, frame);
776  if (frame != nframe) {
777  FrameClean(frame);
778  }
779  x++;
780  }
781  } else {
782  const uint16_t o = i - FRAMES_STATIC_CNT;
783  Frame *frame = &frames->dframes[o];
784  FrameDebug("prune(d)", frames, frame);
785  if (eof || FrameIsDone(frame, acked)) {
786  // remove by not incrementing 'x'
787  SCLogDebug("removing %p id %" PRIi64, frame, frame->id);
788  FrameDebug("remove(d)", frames, frame);
789  FrameClean(frame);
790  removed++;
791  } else {
792  const uint64_t fle = FrameLeftEdge(stream, frame);
793  le = MIN(le, fle);
794  SCLogDebug("le %" PRIu64 ", frame fle %" PRIu64, le, fle);
795  Frame *nframe;
796  if (x >= FRAMES_STATIC_CNT) {
797  nframe = &frames->dframes[x - FRAMES_STATIC_CNT];
798  } else {
799  nframe = &frames->sframes[x];
800  }
801  FrameCopy(nframe, frame);
802  if (frame != nframe) {
803  FrameClean(frame);
804  }
805  x++;
806  }
807  }
808  }
809  frames->cnt = x;
810  DEBUG_VALIDATE_BUG_ON(le < STREAM_BASE_OFFSET(stream));
811  DEBUG_VALIDATE_BUG_ON(le - STREAM_BASE_OFFSET(stream) > UINT32_MAX);
812  frames->left_edge_rel = (uint32_t)(le - STREAM_BASE_OFFSET(stream));
813 #ifdef DEBUG
814  SCLogDebug("end: left edge %" PRIu64 ", left_edge_rel %u, stream base %" PRIu64
815  ", cnt %u, removed %u, start %u",
816  (uint64_t)frames->left_edge_rel + STREAM_BASE_OFFSET(stream), frames->left_edge_rel,
817  STREAM_BASE_OFFSET(stream), frames->cnt, removed, start);
818  AppLayerFrameDumpForFrames("post_slide", frames);
819 #endif
820  if (frames->cnt > 0) { // if we removed all this can fail
821  BUG_ON(frames_le_start > le);
822  }
823  BUG_ON(x != start - removed);
824 }
825 
826 void FramesPrune(Flow *f, Packet *p)
827 {
828  if (f->proto == IPPROTO_TCP && f->protoctx == NULL)
829  return;
830  FramesContainer *frames_container = AppLayerFramesGetContainer(f);
831  if (frames_container == NULL)
832  return;
833 
834  Frames *frames;
835 
836  if (p->proto == IPPROTO_UDP) {
837  SCLogDebug("clearing all UDP frames");
838  if (PKT_IS_TOSERVER(p)) {
839  frames = &frames_container->toserver;
840  } else {
841  frames = &frames_container->toclient;
842  }
843  FramesClear(frames);
844  return;
845  }
846 
847  TcpSession *ssn = f->protoctx;
848 
849  if (ssn->flags & STREAMTCP_FLAG_APP_LAYER_DISABLED) {
850  AppLayerFramesFreeContainer(f);
851  return;
852  }
853 
854  TcpStream *stream;
855  if (PKT_IS_TOSERVER(p)) {
856  stream = &ssn->client;
857  frames = &frames_container->toserver;
858  } else {
859  stream = &ssn->server;
860  frames = &frames_container->toclient;
861  }
862 
863  const bool eof = ssn->state == TCP_CLOSED || PKT_IS_PSEUDOPKT(p);
864  SCLogDebug("eof %s", eof ? "TRUE" : "false");
865  FramePrune(frames, stream, eof);
866 }
AppLayerFrameSetLengthById
void AppLayerFrameSetLengthById(Flow *f, const int dir, const FrameId id, int64_t len)
Definition: app-layer-frames.c:673
Packet_::proto
uint8_t proto
Definition: decode.h:498
TcpStream_
Definition: stream-tcp-private.h:106
Frame::inspect_progress
uint64_t inspect_progress
Definition: app-layer-frames.h:53
len
uint8_t len
Definition: app-layer-dnp3.h:2
Frame::tx_id
uint64_t tx_id
Definition: app-layer-frames.h:52
offset
uint64_t offset
Definition: util-streaming-buffer.h:0
FrameConfig::SC_ATOMIC_DECLARE
SC_ATOMIC_DECLARE(uint64_t, types)
SC_ATOMIC_INIT
#define SC_ATOMIC_INIT(name)
wrapper for initializing an atomic variable.
Definition: util-atomic.h:314
FramesFree
void FramesFree(Frames *frames)
Definition: app-layer-frames.c:447
AppLayerFrameAddEvent
void AppLayerFrameAddEvent(Frame *r, uint8_t e)
Definition: app-layer-frames.c:640
PKT_IS_PSEUDOPKT
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1321
stream-tcp.h
unlikely
#define unlikely(expr)
Definition: util-optimize.h:35
SCLogDebug
#define SCLogDebug(...)
Definition: util-debug.h:269
Frame::events
uint8_t events[4]
Definition: app-layer-frames.h:48
Flow_::proto
uint8_t proto
Definition: flow.h:379
AppProto
uint16_t AppProto
Definition: app-layer-protos.h:85
FramesContainer::toserver
Frames toserver
Definition: app-layer-frames.h:72
AppLayerFramesSetupContainer
FramesContainer * AppLayerFramesSetupContainer(Flow *f)
Definition: app-layer-parser.c:180
Frame::offset
uint64_t offset
Definition: app-layer-frames.h:49
Frame
Definition: app-layer-frames.h:43
Flow_
Flow data structure.
Definition: flow.h:357
AppLayerFrameSetTxIdById
void AppLayerFrameSetTxIdById(Flow *f, const int dir, const FrameId id, uint64_t tx_id)
Definition: app-layer-frames.c:688
FrameConfig
Definition: app-layer-frames.c:33
Frames::cnt
uint16_t cnt
Definition: app-layer-frames.h:59
AppLayerFrameSetTxId
void AppLayerFrameSetTxId(Frame *r, uint64_t tx_id)
Definition: app-layer-frames.c:679
Frame::id
int64_t id
Definition: app-layer-frames.h:51
FrameGetByIndex
Frame * FrameGetByIndex(Frames *frames, const uint32_t idx)
Definition: app-layer-frames.c:144
MIN
#define MIN(x, y)
Definition: suricata-common.h:391
Frames
Definition: app-layer-frames.h:58
FramesContainer
Definition: app-layer-frames.h:71
AppLayerFrameGetId
FrameId AppLayerFrameGetId(Frame *r)
Definition: app-layer-frames.c:656
Frames::left_edge_rel
uint32_t left_edge_rel
Definition: app-layer-frames.h:61
AppLayerFrameNewByAbsoluteOffset
Frame * AppLayerFrameNewByAbsoluteOffset(Flow *f, const StreamSlice *stream_slice, const uint64_t frame_start, const int64_t len, int dir, uint8_t frame_type)
create new frame using the absolute offset from the start of the stream
Definition: app-layer-frames.c:598
AppLayerFrameGetLastOpenByType
Frame * AppLayerFrameGetLastOpenByType(Flow *f, const int dir, const uint8_t frame_type)
Definition: app-layer-frames.c:712
Flow_::protoctx
void * protoctx
Definition: flow.h:442
StreamTcpGetUsable
uint64_t StreamTcpGetUsable(const TcpStream *stream, const bool eof)
Definition: stream-tcp-reassemble.c:427
Frames::dframes
Frame * dframes
Definition: app-layer-frames.h:64
TcpSession_::flags
uint32_t flags
Definition: stream-tcp-private.h:294
Flow_::alparser
AppLayerParserState * alparser
Definition: flow.h:476
FramesContainer::toclient
Frames toclient
Definition: app-layer-frames.h:73
PKT_IS_TOSERVER
#define PKT_IS_TOSERVER(p)
Definition: decode.h:234
AppLayerParserGetFrameNameById
const char * AppLayerParserGetFrameNameById(uint8_t ipproto, AppProto alproto, const uint8_t id)
Definition: app-layer-parser.c:1590
g_alproto_max
AppProto g_alproto_max
Definition: app-layer-protos.c:29
AppLayerFramesFreeContainer
void AppLayerFramesFreeContainer(Flow *f)
Definition: app-layer-parser.c:165
FrameGetById
Frame * FrameGetById(Frames *frames, const int64_t id)
Definition: app-layer-frames.c:124
FRAME_FLAG_TX_ID_SET
#define FRAME_FLAG_TX_ID_SET
Definition: app-layer-frames.h:36
STREAM_BASE_OFFSET
#define STREAM_BASE_OFFSET(stream)
Definition: stream-tcp-private.h:144
util-print.h
TcpSession_::state
uint8_t state
Definition: stream-tcp-private.h:285
FrameId
int64_t FrameId
Definition: app-layer-frames.h:32
AppLayerFramesSlide
void AppLayerFramesSlide(Flow *f, const uint32_t slide, const uint8_t direction)
Definition: app-layer-frames.c:402
app-layer-parser.h
BUG_ON
#define BUG_ON(x)
Definition: suricata-common.h:300
AppLayerFrameAddEventById
void AppLayerFrameAddEventById(Flow *f, const int dir, const FrameId id, uint8_t e)
Definition: app-layer-frames.c:650
FRAMES_STATIC_CNT
#define FRAMES_STATIC_CNT
Definition: app-layer-frames.h:56
Packet_
Definition: decode.h:476
type
uint16_t type
Definition: decode-vlan.c:107
AppLayerFramesGetContainer
FramesContainer * AppLayerFramesGetContainer(Flow *f)
Definition: app-layer-parser.c:173
Frame::len
int64_t len
Definition: app-layer-frames.h:50
Frame
struct Frame Frame
BIT_U64
#define BIT_U64(n)
Definition: suricata-common.h:401
Frame::flags
uint8_t flags
Definition: app-layer-frames.h:45
SCRealloc
#define SCRealloc(ptr, sz)
Definition: util-mem.h:50
TCP_CLOSED
@ TCP_CLOSED
Definition: stream-tcp-private.h:162
app-layer-frames.h
Frame::type
uint8_t type
Definition: app-layer-frames.h:44
suricata-common.h
Frame::event_cnt
uint8_t event_cnt
Definition: app-layer-frames.h:46
FatalError
#define FatalError(...)
Definition: util-debug.h:502
Frames::sframes
Frame sframes[FRAMES_STATIC_CNT]
Definition: app-layer-frames.h:63
AppLayerFrameNewByPointer
Frame * AppLayerFrameNewByPointer(Flow *f, const StreamSlice *stream_slice, const uint8_t *frame_start, const int64_t len, int dir, uint8_t frame_type)
create new frame using a pointer to start of the frame
Definition: app-layer-frames.c:457
FrameConfigEnableAll
void FrameConfigEnableAll(void)
Definition: app-layer-frames.c:55
TcpSession_::client
TcpStream client
Definition: stream-tcp-private.h:297
FrameConfigInit
void FrameConfigInit(void)
Definition: app-layer-frames.c:39
AppLayerFrameGetById
Frame * AppLayerFrameGetById(Flow *f, const int dir, const FrameId frame_id)
Definition: app-layer-frames.c:694
FRAME_STREAM_TYPE
#define FRAME_STREAM_TYPE
Definition: app-layer-frames.h:30
TcpSession_::server
TcpStream server
Definition: stream-tcp-private.h:296
FramesPrune
void FramesPrune(Flow *f, Packet *p)
Definition: app-layer-frames.c:826
SCFree
#define SCFree(p)
Definition: util-mem.h:61
FrameGetLastOpenByType
Frame * FrameGetLastOpenByType(Frames *frames, const uint8_t frame_type)
Definition: app-layer-frames.c:101
Frames::base_id
uint64_t base_id
Definition: app-layer-frames.h:62
src
uint16_t src
Definition: app-layer-dnp3.h:5
FrameConfigEnable
void FrameConfigEnable(const AppProto p, const uint8_t type)
Definition: app-layer-frames.c:64
AppLayerFrameDump
void AppLayerFrameDump(Flow *f)
Definition: app-layer-frames.c:583
STREAMTCP_FLAG_APP_LAYER_DISABLED
#define STREAMTCP_FLAG_APP_LAYER_DISABLED
Definition: stream-tcp-private.h:201
AppLayerFrameNewByRelativeOffset
Frame * AppLayerFrameNewByRelativeOffset(Flow *f, const StreamSlice *stream_slice, const uint32_t frame_start_rel, const int64_t len, int dir, uint8_t frame_type)
create new frame using a relative offset from the start of the stream slice
Definition: app-layer-frames.c:536
STREAM_APP_PROGRESS
#define STREAM_APP_PROGRESS(stream)
Definition: stream-tcp-private.h:145
dst
uint16_t dst
Definition: app-layer-dnp3.h:4
SC_ATOMIC_GET
#define SC_ATOMIC_GET(name)
Get the value from the atomic variable.
Definition: util-atomic.h:375
TcpSession_
Definition: stream-tcp-private.h:283
FrameConfigDeInit
void FrameConfigDeInit(void)
Definition: app-layer-frames.c:50
flow.h
Flow_::alproto
AppProto alproto
application level protocol
Definition: flow.h:451
SCCalloc
#define SCCalloc(nm, sz)
Definition: util-mem.h:53
DEBUG_VALIDATE_BUG_ON
#define DEBUG_VALIDATE_BUG_ON(exp)
Definition: util-validate.h:102
Frames::dyn_size
uint16_t dyn_size
Definition: app-layer-frames.h:60
AppLayerFrameSetLength
void AppLayerFrameSetLength(Frame *frame, int64_t len)
Definition: app-layer-frames.c:665
SC_ATOMIC_OR
#define SC_ATOMIC_OR(name, val)
Bitwise OR a value to our atomic variable.
Definition: util-atomic.h:350
FrameDebug
#define FrameDebug(prefix, frames, frame)
Definition: app-layer-frames.c:95